rsa_sp800_56b_check.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446
  1. /*
  2. * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved.
  4. *
  5. * Licensed under the Apache License 2.0 (the "License"). You may not use
  6. * this file except in compliance with the License. You can obtain a copy
  7. * in the file LICENSE in the source distribution or at
  8. * https://www.openssl.org/source/license.html
  9. */
  10. #include <openssl/err.h>
  11. #include <openssl/bn.h>
  12. #include "crypto/bn.h"
  13. #include "rsa_local.h"
  14. /*
  15. * Part of the RSA keypair test.
  16. * Check the Chinese Remainder Theorem components are valid.
  17. *
  18. * See SP800-5bBr1
  19. * 6.4.1.2.3: rsakpv1-crt Step 7
  20. * 6.4.1.3.3: rsakpv2-crt Step 7
  21. */
  22. int ossl_rsa_check_crt_components(const RSA *rsa, BN_CTX *ctx)
  23. {
  24. int ret = 0;
  25. BIGNUM *r = NULL, *p1 = NULL, *q1 = NULL;
  26. /* check if only some of the crt components are set */
  27. if (rsa->dmp1 == NULL || rsa->dmq1 == NULL || rsa->iqmp == NULL) {
  28. if (rsa->dmp1 != NULL || rsa->dmq1 != NULL || rsa->iqmp != NULL)
  29. return 0;
  30. return 1; /* return ok if all components are NULL */
  31. }
  32. BN_CTX_start(ctx);
  33. r = BN_CTX_get(ctx);
  34. p1 = BN_CTX_get(ctx);
  35. q1 = BN_CTX_get(ctx);
  36. if (q1 != NULL) {
  37. BN_set_flags(r, BN_FLG_CONSTTIME);
  38. BN_set_flags(p1, BN_FLG_CONSTTIME);
  39. BN_set_flags(q1, BN_FLG_CONSTTIME);
  40. ret = 1;
  41. } else {
  42. ret = 0;
  43. }
  44. ret = ret
  45. /* p1 = p -1 */
  46. && (BN_copy(p1, rsa->p) != NULL)
  47. && BN_sub_word(p1, 1)
  48. /* q1 = q - 1 */
  49. && (BN_copy(q1, rsa->q) != NULL)
  50. && BN_sub_word(q1, 1)
  51. /* (a) 1 < dP < (p – 1). */
  52. && (BN_cmp(rsa->dmp1, BN_value_one()) > 0)
  53. && (BN_cmp(rsa->dmp1, p1) < 0)
  54. /* (b) 1 < dQ < (q - 1). */
  55. && (BN_cmp(rsa->dmq1, BN_value_one()) > 0)
  56. && (BN_cmp(rsa->dmq1, q1) < 0)
  57. /* (c) 1 < qInv < p */
  58. && (BN_cmp(rsa->iqmp, BN_value_one()) > 0)
  59. && (BN_cmp(rsa->iqmp, rsa->p) < 0)
  60. /* (d) 1 = (dP . e) mod (p - 1)*/
  61. && BN_mod_mul(r, rsa->dmp1, rsa->e, p1, ctx)
  62. && BN_is_one(r)
  63. /* (e) 1 = (dQ . e) mod (q - 1) */
  64. && BN_mod_mul(r, rsa->dmq1, rsa->e, q1, ctx)
  65. && BN_is_one(r)
  66. /* (f) 1 = (qInv . q) mod p */
  67. && BN_mod_mul(r, rsa->iqmp, rsa->q, rsa->p, ctx)
  68. && BN_is_one(r);
  69. BN_clear(r);
  70. BN_clear(p1);
  71. BN_clear(q1);
  72. BN_CTX_end(ctx);
  73. return ret;
  74. }
  75. /*
  76. * Part of the RSA keypair test.
  77. * Check that (√2)(2^(nbits/2 - 1) <= p <= 2^(nbits/2) - 1
  78. *
  79. * See SP800-5bBr1 6.4.1.2.1 Part 5 (c) & (g) - used for both p and q.
  80. *
  81. * (√2)(2^(nbits/2 - 1) = (√2/2)(2^(nbits/2))
  82. */
  83. int ossl_rsa_check_prime_factor_range(const BIGNUM *p, int nbits, BN_CTX *ctx)
  84. {
  85. int ret = 0;
  86. BIGNUM *low;
  87. int shift;
  88. nbits >>= 1;
  89. shift = nbits - BN_num_bits(&ossl_bn_inv_sqrt_2);
  90. /* Upper bound check */
  91. if (BN_num_bits(p) != nbits)
  92. return 0;
  93. BN_CTX_start(ctx);
  94. low = BN_CTX_get(ctx);
  95. if (low == NULL)
  96. goto err;
  97. /* set low = (√2)(2^(nbits/2 - 1) */
  98. if (!BN_copy(low, &ossl_bn_inv_sqrt_2))
  99. goto err;
  100. if (shift >= 0) {
  101. /*
  102. * We don't have all the bits. ossl_bn_inv_sqrt_2 contains a rounded up
  103. * value, so there is a very low probability that we'll reject a valid
  104. * value.
  105. */
  106. if (!BN_lshift(low, low, shift))
  107. goto err;
  108. } else if (!BN_rshift(low, low, -shift)) {
  109. goto err;
  110. }
  111. if (BN_cmp(p, low) <= 0)
  112. goto err;
  113. ret = 1;
  114. err:
  115. BN_CTX_end(ctx);
  116. return ret;
  117. }
  118. /*
  119. * Part of the RSA keypair test.
  120. * Check the prime factor (for either p or q)
  121. * i.e: p is prime AND GCD(p - 1, e) = 1
  122. *
  123. * See SP800-56Br1 6.4.1.2.3 Step 5 (a to d) & (e to h).
  124. */
  125. int ossl_rsa_check_prime_factor(BIGNUM *p, BIGNUM *e, int nbits, BN_CTX *ctx)
  126. {
  127. int ret = 0;
  128. BIGNUM *p1 = NULL, *gcd = NULL;
  129. /* (Steps 5 a-b) prime test */
  130. if (BN_check_prime(p, ctx, NULL) != 1
  131. /* (Step 5c) (√2)(2^(nbits/2 - 1) <= p <= 2^(nbits/2 - 1) */
  132. || ossl_rsa_check_prime_factor_range(p, nbits, ctx) != 1)
  133. return 0;
  134. BN_CTX_start(ctx);
  135. p1 = BN_CTX_get(ctx);
  136. gcd = BN_CTX_get(ctx);
  137. if (gcd != NULL) {
  138. BN_set_flags(p1, BN_FLG_CONSTTIME);
  139. BN_set_flags(gcd, BN_FLG_CONSTTIME);
  140. ret = 1;
  141. } else {
  142. ret = 0;
  143. }
  144. ret = ret
  145. /* (Step 5d) GCD(p-1, e) = 1 */
  146. && (BN_copy(p1, p) != NULL)
  147. && BN_sub_word(p1, 1)
  148. && BN_gcd(gcd, p1, e, ctx)
  149. && BN_is_one(gcd);
  150. BN_clear(p1);
  151. BN_CTX_end(ctx);
  152. return ret;
  153. }
  154. /*
  155. * See SP800-56Br1 6.4.1.2.3 Part 6(a-b) Check the private exponent d
  156. * satisfies:
  157. * (Step 6a) 2^(nBit/2) < d < LCM(p–1, q–1).
  158. * (Step 6b) 1 = (d*e) mod LCM(p–1, q–1)
  159. */
  160. int ossl_rsa_check_private_exponent(const RSA *rsa, int nbits, BN_CTX *ctx)
  161. {
  162. int ret;
  163. BIGNUM *r, *p1, *q1, *lcm, *p1q1, *gcd;
  164. /* (Step 6a) 2^(nbits/2) < d */
  165. if (BN_num_bits(rsa->d) <= (nbits >> 1))
  166. return 0;
  167. BN_CTX_start(ctx);
  168. r = BN_CTX_get(ctx);
  169. p1 = BN_CTX_get(ctx);
  170. q1 = BN_CTX_get(ctx);
  171. lcm = BN_CTX_get(ctx);
  172. p1q1 = BN_CTX_get(ctx);
  173. gcd = BN_CTX_get(ctx);
  174. if (gcd != NULL) {
  175. BN_set_flags(r, BN_FLG_CONSTTIME);
  176. BN_set_flags(p1, BN_FLG_CONSTTIME);
  177. BN_set_flags(q1, BN_FLG_CONSTTIME);
  178. BN_set_flags(lcm, BN_FLG_CONSTTIME);
  179. BN_set_flags(p1q1, BN_FLG_CONSTTIME);
  180. BN_set_flags(gcd, BN_FLG_CONSTTIME);
  181. ret = 1;
  182. } else {
  183. ret = 0;
  184. }
  185. ret = (ret
  186. /* LCM(p - 1, q - 1) */
  187. && (ossl_rsa_get_lcm(ctx, rsa->p, rsa->q, lcm, gcd, p1, q1,
  188. p1q1) == 1)
  189. /* (Step 6a) d < LCM(p - 1, q - 1) */
  190. && (BN_cmp(rsa->d, lcm) < 0)
  191. /* (Step 6b) 1 = (e . d) mod LCM(p - 1, q - 1) */
  192. && BN_mod_mul(r, rsa->e, rsa->d, lcm, ctx)
  193. && BN_is_one(r));
  194. BN_clear(r);
  195. BN_clear(p1);
  196. BN_clear(q1);
  197. BN_clear(lcm);
  198. BN_clear(gcd);
  199. BN_CTX_end(ctx);
  200. return ret;
  201. }
  202. #ifndef FIPS_MODULE
  203. static int bn_is_three(const BIGNUM *bn)
  204. {
  205. BIGNUM *num = BN_dup(bn);
  206. int ret = (num != NULL && BN_sub_word(num, 3) && BN_is_zero(num));
  207. BN_free(num);
  208. return ret;
  209. }
  210. #endif /* FIPS_MODULE */
  211. /* Check exponent is odd, and has a bitlen ranging from [17..256] */
  212. int ossl_rsa_check_public_exponent(const BIGNUM *e)
  213. {
  214. int bitlen;
  215. /* For legacy purposes RSA_3 is allowed in non fips mode */
  216. #ifndef FIPS_MODULE
  217. if (bn_is_three(e))
  218. return 1;
  219. #endif /* FIPS_MODULE */
  220. bitlen = BN_num_bits(e);
  221. return (BN_is_odd(e) && bitlen > 16 && bitlen < 257);
  222. }
  223. /*
  224. * SP800-56Br1 6.4.1.2.1 (Step 5i): |p - q| > 2^(nbits/2 - 100)
  225. * i.e- numbits(p-q-1) > (nbits/2 -100)
  226. */
  227. int ossl_rsa_check_pminusq_diff(BIGNUM *diff, const BIGNUM *p, const BIGNUM *q,
  228. int nbits)
  229. {
  230. int bitlen = (nbits >> 1) - 100;
  231. if (!BN_sub(diff, p, q))
  232. return -1;
  233. BN_set_negative(diff, 0);
  234. if (BN_is_zero(diff))
  235. return 0;
  236. if (!BN_sub_word(diff, 1))
  237. return -1;
  238. return (BN_num_bits(diff) > bitlen);
  239. }
  240. /*
  241. * return LCM(p-1, q-1)
  242. *
  243. * Caller should ensure that lcm, gcd, p1, q1, p1q1 are flagged with
  244. * BN_FLG_CONSTTIME.
  245. */
  246. int ossl_rsa_get_lcm(BN_CTX *ctx, const BIGNUM *p, const BIGNUM *q,
  247. BIGNUM *lcm, BIGNUM *gcd, BIGNUM *p1, BIGNUM *q1,
  248. BIGNUM *p1q1)
  249. {
  250. return BN_sub(p1, p, BN_value_one()) /* p-1 */
  251. && BN_sub(q1, q, BN_value_one()) /* q-1 */
  252. && BN_mul(p1q1, p1, q1, ctx) /* (p-1)(q-1) */
  253. && BN_gcd(gcd, p1, q1, ctx)
  254. && BN_div(lcm, NULL, p1q1, gcd, ctx); /* LCM((p-1, q-1)) */
  255. }
  256. /*
  257. * SP800-56Br1 6.4.2.2 Partial Public Key Validation for RSA refers to
  258. * SP800-89 5.3.3 (Explicit) Partial Public Key Validation for RSA
  259. * caveat is that the modulus must be as specified in SP800-56Br1
  260. */
  261. int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
  262. {
  263. int ret = 0, status;
  264. int nbits;
  265. BN_CTX *ctx = NULL;
  266. BIGNUM *gcd = NULL;
  267. if (rsa->n == NULL || rsa->e == NULL)
  268. return 0;
  269. nbits = BN_num_bits(rsa->n);
  270. #ifdef FIPS_MODULE
  271. /*
  272. * (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1)
  273. * NOTE: changed to allow keys >= 2048
  274. */
  275. if (!ossl_rsa_sp800_56b_validate_strength(nbits, -1)) {
  276. ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEY_LENGTH);
  277. return 0;
  278. }
  279. #endif
  280. if (!BN_is_odd(rsa->n)) {
  281. ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MODULUS);
  282. return 0;
  283. }
  284. /* (Steps b-c): 2^16 < e < 2^256, n and e must be odd */
  285. if (!ossl_rsa_check_public_exponent(rsa->e)) {
  286. ERR_raise(ERR_LIB_RSA, RSA_R_PUB_EXPONENT_OUT_OF_RANGE);
  287. return 0;
  288. }
  289. ctx = BN_CTX_new_ex(rsa->libctx);
  290. gcd = BN_new();
  291. if (ctx == NULL || gcd == NULL)
  292. goto err;
  293. /* (Steps d-f):
  294. * The modulus is composite, but not a power of a prime.
  295. * The modulus has no factors smaller than 752.
  296. */
  297. if (!BN_gcd(gcd, rsa->n, ossl_bn_get0_small_factors(), ctx)
  298. || !BN_is_one(gcd)) {
  299. ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MODULUS);
  300. goto err;
  301. }
  302. ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, &status);
  303. #ifdef FIPS_MODULE
  304. if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) {
  305. #else
  306. if (ret != 1 || (status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME
  307. && (nbits >= RSA_MIN_MODULUS_BITS
  308. || status != BN_PRIMETEST_COMPOSITE_WITH_FACTOR))) {
  309. #endif
  310. ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_MODULUS);
  311. ret = 0;
  312. goto err;
  313. }
  314. ret = 1;
  315. err:
  316. BN_free(gcd);
  317. BN_CTX_free(ctx);
  318. return ret;
  319. }
  320. /*
  321. * Perform validation of the RSA private key to check that 0 < D < N.
  322. */
  323. int ossl_rsa_sp800_56b_check_private(const RSA *rsa)
  324. {
  325. if (rsa->d == NULL || rsa->n == NULL)
  326. return 0;
  327. return BN_cmp(rsa->d, BN_value_one()) >= 0 && BN_cmp(rsa->d, rsa->n) < 0;
  328. }
  329. /*
  330. * RSA key pair validation.
  331. *
  332. * SP800-56Br1.
  333. * 6.4.1.2 "RSAKPV1 Family: RSA Key - Pair Validation with a Fixed Exponent"
  334. * 6.4.1.3 "RSAKPV2 Family: RSA Key - Pair Validation with a Random Exponent"
  335. *
  336. * It uses:
  337. * 6.4.1.2.3 "rsakpv1 - crt"
  338. * 6.4.1.3.3 "rsakpv2 - crt"
  339. */
  340. int ossl_rsa_sp800_56b_check_keypair(const RSA *rsa, const BIGNUM *efixed,
  341. int strength, int nbits)
  342. {
  343. int ret = 0;
  344. BN_CTX *ctx = NULL;
  345. BIGNUM *r = NULL;
  346. if (rsa->p == NULL
  347. || rsa->q == NULL
  348. || rsa->e == NULL
  349. || rsa->d == NULL
  350. || rsa->n == NULL) {
  351. ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_REQUEST);
  352. return 0;
  353. }
  354. /* (Step 1): Check Ranges */
  355. if (!ossl_rsa_sp800_56b_validate_strength(nbits, strength))
  356. return 0;
  357. /* If the exponent is known */
  358. if (efixed != NULL) {
  359. /* (2): Check fixed exponent matches public exponent. */
  360. if (BN_cmp(efixed, rsa->e) != 0) {
  361. ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_REQUEST);
  362. return 0;
  363. }
  364. }
  365. /* (Step 1.c): e is odd integer 65537 <= e < 2^256 */
  366. if (!ossl_rsa_check_public_exponent(rsa->e)) {
  367. /* exponent out of range */
  368. ERR_raise(ERR_LIB_RSA, RSA_R_PUB_EXPONENT_OUT_OF_RANGE);
  369. return 0;
  370. }
  371. /* (Step 3.b): check the modulus */
  372. if (nbits != BN_num_bits(rsa->n)) {
  373. ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR);
  374. return 0;
  375. }
  376. ctx = BN_CTX_new_ex(rsa->libctx);
  377. if (ctx == NULL)
  378. return 0;
  379. BN_CTX_start(ctx);
  380. r = BN_CTX_get(ctx);
  381. if (r == NULL || !BN_mul(r, rsa->p, rsa->q, ctx))
  382. goto err;
  383. /* (Step 4.c): Check n = pq */
  384. if (BN_cmp(rsa->n, r) != 0) {
  385. ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_REQUEST);
  386. goto err;
  387. }
  388. /* (Step 5): check prime factors p & q */
  389. ret = ossl_rsa_check_prime_factor(rsa->p, rsa->e, nbits, ctx)
  390. && ossl_rsa_check_prime_factor(rsa->q, rsa->e, nbits, ctx)
  391. && (ossl_rsa_check_pminusq_diff(r, rsa->p, rsa->q, nbits) > 0)
  392. /* (Step 6): Check the private exponent d */
  393. && ossl_rsa_check_private_exponent(rsa, nbits, ctx)
  394. /* 6.4.1.2.3 (Step 7): Check the CRT components */
  395. && ossl_rsa_check_crt_components(rsa, ctx);
  396. if (ret != 1)
  397. ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR);
  398. err:
  399. BN_clear(r);
  400. BN_CTX_end(ctx);
  401. BN_CTX_free(ctx);
  402. return ret;
  403. }